Other Ways to Use Tracer

Because Tracer provides a command line interface, a common mode of operation is to set up hourly, daily, weekly, and monthly audits.
For example, in a critical environment, it might be worth doing a few tests every hour:
tracer rhosts sendmail passwd psl
These tests are very fast, and in a properly tuned system, they will detect the most common symptoms of attack in less than a minute. A script like this one:
mv hourly oldhourly
tracer rhosts sendmail passwd psl | grep -v "^Tracer Starting" | grep -v "^Tracer done" > hourly
ZZ=`diff hourly oldhourly`
if [ -n "$ZZ" ]
then
    echo "$ZZ" | /bin/mail root
fi
can be run automatically by "cron" to perform this task for you and send mail when anomalies are detected.
On a daily basis, it might be worth spending the time to perform more rigorous checks. For example:
tracer audred bigdirs writeables setuids changes
would be quite effective in a daily or even weekly check of your system. Again, a comparison script can be used to automatically detect new situations.
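The hourly and daily comparison scripts above, written out as an added example that is not Tracer's own code: one wrapper that takes the check set name and the Tracer tests as arguments, keeps the previous banner-stripped report under a state directory, and mails root only when the output changed. The state directory path, the MAIL_TO variable and the assumption that tracer is on PATH are mine, not the page's.

```shell
#!/bin/sh
# Added example, not part of Tracer's own documentation: a cron wrapper for
# the hourly/daily checks that keeps the previous report, strips the
# "Tracer Starting" / "Tracer done" banner lines, and only mails when the
# filtered output changed. Assumed: STATE_DIR is writable by the cron user,
# tracer is on PATH, and /bin/mail can deliver to MAIL_TO.

STATE_DIR="${STATE_DIR:-/var/lib/tracer-audit}"
MAIL_TO="${MAIL_TO:-root}"

# Drop the banner lines so they never show up as a spurious difference.
# (grep -v exits 1 when nothing is left, which is not an error here.)
strip_banner() {
    grep -v '^Tracer Starting' | grep -v '^Tracer done' || true
}

# audit_changed NEW OLD: print what differs and return 0 when the filtered
# report changed, 1 when it is identical. A missing OLD (first run, or a
# deleted state file) counts as a change so the whole report is seen.
audit_changed() {
    if [ ! -f "$2" ]; then
        cat "$1"
        return 0
    fi
    if diff "$2" "$1"; then
        return 1
    fi
    return 0
}

# run_audit NAME TEST...: the new report replaces the old one only after the
# comparison, so a run that dies half way cannot lose the baseline.
run_audit() {
    name="$1"; shift
    mkdir -p "$STATE_DIR"
    tmp=$(mktemp "$STATE_DIR/$name.XXXXXX") || return 1
    tracer "$@" | strip_banner > "$tmp"
    if report=$(audit_changed "$tmp" "$STATE_DIR/$name") && [ -n "$report" ]; then
        printf '%s\n' "$report" | /bin/mail "$MAIL_TO"
    fi
    mv "$tmp" "$STATE_DIR/$name"
}

# Invoke from cron with the check set name followed by the Tracer tests:
#   0 * * * * /usr/local/sbin/tracer-audit.sh hourly rhosts sendmail passwd psl
#   0 3 * * * /usr/local/sbin/tracer-audit.sh daily audred bigdirs writeables setuids changes
if [ $# -gt 1 ]; then
    run_audit "$@"
fi
```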